Lightweight EdDSA Signature Verification for the Ultra-Low-Power Internet of Things

Part of the Lecture Notes in Computer Science book series (LNSC, volume 13107)

Abstract

EdDSA is a digital signature scheme based on elliptic curves in Edwards form that is supported in the latest version of the TLS protocol (TLS 1.3). The straightforward way of verifying an EdDSA signature involves a costly double-scalar multiplication of the form \(kP - lQ\), where P is a “fixed” point (namely the generator of the underlying elliptic-curve group) and Q is only known at run time. This computation makes verification not only much slower than signature generation, but also more memory-demanding. In the present paper we compare two implementations of EdDSA verification using Ed25519 as a case study; the first is speed-optimized, while the other aims at a low RAM footprint. The speed-optimized variant performs the double-scalar multiplication in a simultaneous fashion and uses a Joint Sparse Form (JSF) representation of the two scalars. The memory-optimized variant, on the other hand, splits the computation of \(kP - lQ\) into two separate parts: a fixed-base scalar multiplication carried out with a standard comb method and eight pre-computed points, and a variable-base scalar multiplication executed with the conventional Montgomery ladder on the birationally-equivalent Montgomery curve. Our experiments on a 16-bit ultra-low-power MSP430 microcontroller show that the separated method is 24% slower than the simultaneous technique, but reduces the RAM footprint by 40%. This makes the separated method attractive for “lightweight” cryptographic libraries, in particular if both Ed25519 signature generation/verification and X25519 key exchange need to be supported.
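The two verification strategies compared in the abstract, as an added Python example written for this page (it is not the authors' MSP430 code): what the abstract writes as \(kP - lQ\) is, for Ed25519, \([S]B - [k]A\) with k the hash of R, A and the message, and the example computes it once with the simultaneous method over the Joint Sparse Form of the two scalars and once with the separated method, a fixed-base comb for B with an 8-entry table followed by a Montgomery-ladder walk over the run-time point A. Two things are this example's own assumptions rather than the paper's: the comb parameters (three 86-bit rows, giving the 8-entry table) need not match the authors' choice, and the ladder is run with twisted Edwards arithmetic instead of x-only arithmetic on the birationally-equivalent Montgomery curve, so it reproduces the ladder's structure (two live points, one addition and one doubling per bit) but not the paper's cost profile. Field and point arithmetic follow RFC 8032 [21], and the sample input is RFC 8032's first test vector. Before any group arithmetic the verifier rejects S ≥ L and non-canonical point encodings, two of the validation criteria discussed in [11, 16].

```python
import hashlib
# Ed25519 domain parameters (RFC 8032, Section 5.1); points are extended coordinates (X, Y, Z, T)
p = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, -1, p) % p
NEUTRAL = (0, 1, 1, 0)

def point_add(P, Q):
    """Unified twisted-Edwards addition (RFC 8032, 5.1.4); P == Q gives the doubling."""
    A = (P[1] - P[0]) * (Q[1] - Q[0]) % p
    B = (P[1] + P[0]) * (Q[1] + Q[0]) % p
    C = 2 * P[3] * Q[3] * d % p
    D = 2 * P[2] * Q[2] % p
    E, F, G, H = B - A, D - C, D + C, B + A
    return (E * F % p, G * H % p, F * G % p, E * H % p)
def point_neg(P): return (-P[0] % p, P[1], P[2], -P[3] % p)
def point_equal(P, Q): return (P[0] * Q[2] - Q[0] * P[2]) % p == 0 and (P[1] * Q[2] - Q[1] * P[2]) % p == 0

def point_decompress(s):
    """Decode 32 bytes; None for non-canonical y, non-square x^2 or a negative zero x."""
    sign, y = s[31] >> 7, int.from_bytes(s, "little") & ((1 << 255) - 1)
    if y >= p: return None
    x2 = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)
    x = x if (x * x - x2) % p == 0 else x * pow(2, (p - 1) // 4, p) % p
    if (x * x - x2) % p or (x == 0 and sign): return None
    x = p - x if (x & 1) != sign else x
    return (x, y, 1, x * y % p)
B = point_decompress((4 * pow(5, -1, p) % p).to_bytes(32, "little"))  # generator: y = 4/5, even x

def joint_sparse_form(k1, k2):
    """Solinas' Joint Sparse Form of (k1, k2): digit pairs in {-1,0,1}^2, least significant first."""
    digits, d1, d2 = [], 0, 0
    while k1 + d1 > 0 or k2 + d2 > 0:
        l1, l2 = k1 + d1, k2 + d2
        u1 = 2 - (l1 & 3) if l1 & 1 else 0  # odd column digit is l1 mods 4, i.e. +1 or -1
        u2 = 2 - (l2 & 3) if l2 & 1 else 0
        if u1 and l1 % 8 in (3, 5) and l2 % 4 == 2: u1 = -u1
        if u2 and l2 % 8 in (3, 5) and l1 % 4 == 2: u2 = -u2
        d1 = 1 - d1 if 2 * d1 == 1 + u1 else d1  # carry into the next column
        d2 = 1 - d2 if 2 * d2 == 1 + u2 else d2
        digits.append((u1, u2))
        k1, k2 = k1 >> 1, k2 >> 1
    return digits

def double_scalar_mul_jsf(k, P, l, Q):
    """Simultaneous method: one doubling chain over the JSF digits; table {P, Q, P+Q, P-Q}."""
    table = {(1, 0): P, (0, 1): Q, (1, 1): point_add(P, Q), (1, -1): point_add(P, point_neg(Q))}
    R = NEUTRAL
    for u1, u2 in reversed(joint_sparse_form(k, l)):
        R = point_add(R, R)
        if (u1, u2) != (0, 0):  # add the table entry, or the negative of its mirror entry
            R = point_add(R, table.get((u1, u2)) or point_neg(table[(-u1, -u2)]))
    return R

def comb_table(P):
    """Fixed-base comb table, 2^COMB_W entries: T[j] = sum of [2^(i*COMB_D)]P over the set bits i of j."""
    rows = [P]  # rows[i] = [2^(i*COMB_D)]P
    for _ in range(COMB_W - 1):
        rows.append(rows[-1])
        for _ in range(COMB_D): rows[-1] = point_add(rows[-1], rows[-1])
    T = [NEUTRAL]
    for j in range(1, 1 << COMB_W):
        low = j & -j
        T.append(point_add(T[j ^ low], rows[low.bit_length() - 1]))
    return T

def fixed_base_mul(k, T):
    R = NEUTRAL
    for t in range(COMB_D - 1, -1, -1):
        R = point_add(R, R)
        j = sum(((k >> (i * COMB_D + t)) & 1) << i for i in range(COMB_W))
        if j: R = point_add(R, T[j])
    return R

def ladder_mul(k, P):
    """Montgomery ladder (invariant R1 - R0 = P) with Edwards arithmetic, for k < 2^253."""
    R0, R1 = NEUTRAL, P
    for i in range(252, -1, -1):
        if (k >> i) & 1: R0, R1 = point_add(R0, R1), point_add(R1, R1)
        else: R0, R1 = point_add(R0, R0), point_add(R0, R1)
    return R0
COMB_W, COMB_D = 3, 86  # 3 comb rows of 86 bits cover scalars below 2^258 (example parameters)
B_COMB = comb_table(B)  # built once; the same table serves key generation and signing

def hash_mod_L(*parts): return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little") % L
def verify(pk, msg, sig, method="jsf"):
    """Accept iff [S]B - [k]A == R with k = H(R || A || M); S >= L and bad encodings are rejected."""
    if len(pk) != 32 or len(sig) != 64: return False
    A, R, S = point_decompress(pk), point_decompress(sig[:32]), int.from_bytes(sig[32:], "little")
    if A is None or R is None or S >= L: return False
    k = hash_mod_L(sig[:32], pk, msg)
    if method == "jsf": lhs = double_scalar_mul_jsf(S, B, k, point_neg(A))
    else: lhs = point_add(fixed_base_mul(S, B_COMB), point_neg(ladder_mul(k, A)))  # separated
    return point_equal(lhs, R)

# Sample input: RFC 8032, Section 7.1, test 1 (public key and signature over the empty message)
PK = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
SIG = bytes.fromhex("e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155"
                    "5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b")
```

Both code paths of verify() compute the same point, so a library can switch between them purely on the speed/RAM trade-off the paper measures without changing which signatures are accepted; only the precomputation differs (a 4-entry table derived from A at verification time versus an 8-entry table for B computed once). The JSF routine follows Solinas [37] and emits digits least significant first, which is why the doubling chain consumes them reversed; the carry-flip rule keeps the represented value exact, and the ±3 mod 8 sign adjustment is only what makes the joint weight minimal.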

Notes

  1. RFC 8032 [21] specifies, besides the original EdDSA scheme, a pre-hash variant that replaces the message M in Algorithm 1 by its hash value \(m = \textsc {Hash}(M)\). Pre-hashing potentially reduces execution time and RAM requirements for large messages, but gives up the collision resilience of the original EdDSA.

  2. The main difference between the simultaneous method and the interleaving method is that, in the latter, the table entries are disjoint with respect to the two base points A and B (i.e. each pre-computed value involves only a single base point).

  3. The specific Montgomery curve that is birationally-equivalent to the twisted Edwards (TE) curve used by Ed25519 has the same parameter A as Curve25519 (i.e. \(A = 486662\) [4]), but the parameter B differs: \(B = -(A+2) = -486664\) instead of \(B = 1\).
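The Montgomery parameters referred to in Note 3 (Curve25519's \(A = 486662\) together with \(B = -486664\)) follow from the birational equivalence in [6] between a twisted Edwards curve \(a x^2 + y^2 = 1 + d x^2 y^2\) and a Montgomery curve \(B v^2 = u^3 + A u^2 + u\). As an added worked derivation (not part of the paper), with the Ed25519 values \(a = -1\) and \(d = -121665/121666\):

\[
A = \frac{2(a+d)}{a-d}, \qquad B = \frac{4}{a-d}, \qquad\text{hence}\qquad A + 2 = \frac{2(a+d) + 2(a-d)}{a-d} = \frac{4a}{a-d} = a\,B .
\]

With \(a = -1\) this gives \(B = -(A+2)\) for every d, which is the relation stated in Note 3. Substituting d, \(a - d = -1 + \tfrac{121665}{121666} = -\tfrac{1}{121666}\) and \(a + d = -\tfrac{243331}{121666}\), so

\[
A = \frac{2 \cdot \left(-243331/121666\right)}{-1/121666} = 486662, \qquad B = \frac{4}{-1/121666} = -486664 = -(A+2).
\]

Two Montgomery curves with the same A and different B are isomorphic over \(\mathbb{F}_p\) exactly when the ratio of their B values is a square (rescale v); \(-486664\) is a square modulo \(2^{255}-19\) (its root is the constant used in the standard map between Ed25519 and Curve25519 points), so this curve is isomorphic to Curve25519 rather than its twist. The x-only ladder of [29] never uses B at all, which is what lets the same X25519 ladder code perform the variable-base part of the verification.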

References

  1. Antipa, A., Brown, D., Menezes, A., Struik, R., Vanstone, S.: Validation of elliptic curve public keys. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 211–223. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_16

  2. Ateniese, G., Bianchi, G., Capossele, A.T., Petrioli, C.: Low-cost standard signatures in wireless sensor networks: a case for reviving pre-computation techniques? In: Proceedings of the 20th Annual Network and Distributed System Security Symposium (NDSS 2013). The Internet Society (2013)

  3. Bauer, J., Staudemeyer, R.C., Pöhls, H.C., Fragkiadakis, A.: ECDSA on things: IoT integrity protection in practise. In: Lam, K.-Y., Chi, C.-H., Qing, S. (eds.) ICICS 2016. LNCS, vol. 9977, pp. 3–17. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-50011-9_1

  4. Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_14

  5. Bernstein, D.J.: Multi-user Schnorr security, revisited. Cryptology ePrint Archive, Report 2015/996 (2015). http://eprint.iacr.org/2015/996

  6. Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted Edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68164-9_26

  7. Bernstein, D.J., Chuengsatiansup, C., Lange, T.: Double-base scalar multiplication revisited. Cryptology ePrint Archive, Report 2017/037 (2017). http://eprint.iacr.org/2017/037

  8. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23951-9_9

  9. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2(2), 77–89 (2012)

  10. Bundesamt für Sicherheit in der Informationstechnik (BSI): Elliptic Curve Cryptography. Technical Guideline TR-03111 (2012). http://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03111/BSI-TR-03111_pdf.html

  11. Chalkias, K., Garillot, F., Nikolaenko, V.: Taming the many EdDSAs. In: van der Merwe, T., Mitchell, C., Mehrnezhad, M. (eds.) SSR 2020. LNCS, vol. 12529, pp. 67–90. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64357-7_4

  12. Cohen, H., Frey, G.: Handbook of Elliptic and Hyperelliptic Curve Cryptography, Discrete Mathematics and Its Applications, vol. 34. Chapman & Hall/CRC, Boca Raton (2006)

  13. Costello, C., Smith, B.: Montgomery curves and their arithmetic. J. Cryptogr. Eng. 8(3), 227–240 (2017). https://doi.org/10.1007/s13389-017-0157-6

  14. Dang, D., Plant, M., Poole, M.: Wireless connectivity for the Internet of Things (IoT) with MSP430 microcontrollers (MCUs). Texas Instruments white paper, March 2014. http://www.ti.com/lit/wp/slay028/slay028.pdf

  15. de Meulenaer, G., Gosset, F., Standaert, F.X., Pereira, O.: On the energy cost of communication and cryptography in wireless sensor networks. In: Proceedings of the 4th IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (WIMOB 2008), pp. 580–585. IEEE Computer Society Press (2008)

  16. de Valence, H.: It’s 255:19AM. Do you know what your validation criteria are? Blog post (2020). http://hdevalence.ca/blog/2020-10-04-its-25519am

  17. Düll, M., et al.: High-speed Curve25519 on 8-bit, 16-bit and 32-bit microcontrollers. Des. Codes Crypt. 77(2–3), 493–514 (2015)

  18. Gouvêa, C.P., Oliveira, L.B., López, J.: Efficient software implementation of public-key cryptography on sensor networks using the MSP430X microcontroller. J. Cryptogr. Eng. 2(1), 19–29 (2012)

  19. Hankerson, D.R., Menezes, A.J., Vanstone, S.A.: Guide to Elliptic Curve Cryptography. Springer, New York (2004). https://doi.org/10.1007/b97644

  20. Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted Edwards curves revisited. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 326–343. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_20

  21. Josefsson, S., Liusvaara, I.: Edwards-Curve Digital Signature Algorithm (EdDSA). Internet Research Task Force, Crypto Forum Research Group, RFC 8032, January 2017

  22. Kiltz, E., Masny, D., Pan, J.: Optimal security proofs for signatures from identification schemes. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 33–61. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_2

  23. Liu, A., Ning, P.: TinyECC: a configurable library for elliptic curve cryptography in wireless sensor networks. In: Proceedings of the 7th International Conference on Information Processing in Sensor Networks (IPSN 2008), pp. 245–256. IEEE Computer Society Press (2008)

  24. Liu, Z., Großschädl, J., Li, L., Xu, Q.: Energy-efficient elliptic curve cryptography for MSP430-based wireless sensor nodes. In: Liu, J.K., Steinfeld, R. (eds.) ACISP 2016. LNCS, vol. 9722, pp. 94–112. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-40253-6_6

  25. Liu, Z., Longa, P., Pereira, G.C.C.F., Reparaz, O., Seo, H.: Four\(\mathbb{Q}\) on embedded devices with strong countermeasures against side-channel attacks. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 665–686. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66787-4_32

  26. Liu, Z., Wenger, E., Großschädl, J.: MoTE-ECC: energy-scalable elliptic curve cryptography for wireless sensor networks. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 361–379. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07536-5_22

  27. Marín, L., Pawlowski, M.P., Jara, A.J.: Optimized ECC implementation for secure communication between heterogeneous IoT devices. Sensors 15(9), 21478–21499 (2015)

  28. Möller, B.: Algorithms for multi-exponentiation. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 165–180. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45537-X_13

  29. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)

  30. National Institute of Standards and Technology (NIST): Digital Signature Standard (DSS). FIPS Publication 186–4, July 2013. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf

  31. Okeya, K., Sakurai, K.: Efficient elliptic curve cryptosystems from a scalar multiplication algorithm with recovery of the y-coordinate on a Montgomery-form elliptic curve. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 126–141. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44709-1_12

  32. Pabbuleti, K., Mane, D., Schaumont, P.: Energy budget analysis for signature protocols on a self-powered wireless sensor node. In: Saxena, N., Sadeghi, A.-R. (eds.) RFIDSec 2014. LNCS, vol. 8651, pp. 123–136. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13066-8_8

  33. Pendl, C., Pelnar, M., Hutter, M.: Elliptic curve cryptography on the WISP UHF RFID tag. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 32–47. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-25286-0_3

  34. Rescorla, E.K.: The Transport Layer Security (TLS) Protocol Version 1.3. Internet Engineering Task Force, Network Working Group, RFC 8446, August 2018

  35. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public key cryptosystems. Commun. ACM 21(2), 120–126 (1978)

  36. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22

  37. Solinas, J.A.: Low-weight binary representations for pairs of integers. Technical report, CORR 2001–41, Centre for Applied Cryptographic Research (CACR), University of Waterloo, Waterloo, Canada (2001)

  38. Texas Instruments Inc: MSP430x1xx Family User’s Guide (Rev. F). Manual, February 2006. http://www.ti.com/lit/ug/slau049f/slau049f.pdf

Acknowledgements

Zhe Liu is supported by the National Key R&D Program of China (Grant No. 2020AAA0107703), the National Natural Science Foundation of China (Grants No. 62132008, 61802180), the Natural Science Foundation of Jiangsu Province (Grant No. BK20180421), and the National Cryptography Development Fund (Grant No. MMJJ20180105).

Author information

Corresponding author

Correspondence to Johann Großschädl .

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Großschädl, J., Franck, C., Liu, Z. (2021). Lightweight EdDSA Signature Verification for the Ultra-Low-Power Internet of Things. In: , et al. Information Security Practice and Experience. ISPEC 2021. Lecture Notes in Computer Science, vol. 13107. Springer, Cham. https://doi.org/10.1007/978-3-030-93206-0_16

  • DOI: https://doi.org/10.1007/978-3-030-93206-0_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-93205-3

  • Online ISBN: 978-3-030-93206-0
